Antivirus detection bypass by specially crafted archive.
Release Date : 2005-10-05
Tested on: Windows 2000 SP2 & SP4
Tested with: Jotti Online Antivirus Scanner
Tested with: VirusTotal Online Antivirus Scanner
Tested with: Command line freeware UnRAR v3.50
Tested with: PowerZip v7.06
Discovered by: fRoGGz
Credit to: SecuBox Labs
-=====================================================================-
Analysis
__________
A specially crafted archive containing a virus passes through
the antivirus scanner without being detected.
An attacker can compress a malicious payload and evade
detection by some anti-virus products.
The bypassed malicious content poses no risk until it is
extracted from the RAR archive; once extracted, the malicious
content is detected and removed by your antivirus.
Unlike WinZip or BitZipper, which refuse to open the file,
WinRAR and PowerZip open and extract it.
-=====================================================================-
Proof of Concept
________________
We have used: eicar.com
The EICAR test file is a 68-byte file that antivirus products detect as if it were a virus.
For more information, visit:
Ref: [ http://shadock.net/secubox/AVCraftedArchive.html ]
Results for: SecuBox_AVPoC1.rar
_______________________________
[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[?] Avast Found nothing
[!] AVG Antivirus Found EICAR_Test (+187)
[!] BitDefender Found EICAR-Test-File (not a virus)
[!] CAT-QuickHeal Found Eicar.Test
[~] ClamAV Found nothing >> Suspect
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[!] Fortinet Found EICAR_TEST_FILE
[?] F-Prot Antivirus Found nothing
[!] Ikarus Found EICAR_Test
[?] Kaspersky Antivirus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[!] Panda Found Eicar.Mod
[?] Sophos Found nothing
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] UNA Found nothing
[?] VBA32 Found nothing
Results for: SecuBox_AVPoC2.rar
________________________________
[?] AntiVir Found nothing
[!] ArcaVir Found Eicar.Test
[!] Avast Found EICAR Test-NOT!!
[!] AVG Antivirus Found EICAR_Test
[?] BitDefender Found nothing
[!] CAT-QuickHeal Found Eicar.Test
[~] ClamAV Found nothing >> Suspect
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] Fortinet Found nothing
[?] F-Prot Antivirus Found nothing
[?] Fortinet Found nothing
[!] Ikarus Found EICAR_Test
[?] Kaspersky Antivirus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[!] Panda Found Eicar.Mod
[!] Sophos Found EICAR-AV-Test
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] UNA Found nothing
[?] VBA32 Found nothing
Results for: SecuBox_AVPoC3.cab
________________________________
[?] AntiVir Found nothing
[?] ArcaVir Found nothing
[?] Avast Found nothing
[!] AVG Antivirus Found EICAR_Test
[?] BitDefender Found nothing
[?] CAT-QuickHeal Found nothing
[?] ClamAV Found nothing
[?] Dr.Web Found nothing
[?] eTrust-Iris Found nothing
[?] eTrust-Vet Found nothing
[?] Fortinet Found nothing
[?] F-Prot Antivirus Found nothing
[?] Fortinet Found nothing
[?] Ikarus Found nothing
[?] Kaspersky Antivirus Found nothing
[?] McAfee Found nothing
[?] NOD32 Found nothing
[?] Norman Virus Control Found nothing
[?] Panda Found nothing
[?] Sophos Found nothing
[?] Symantec Found nothing
[?] TheHacker Found nothing
[?] UNA Found nothing
[!] VBA32 Found EICAR-Test-File
Unix test with ClamAV
_____________________
thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab
SecuBox_AVPoC3.cab: OK
thot:~$ cabextract SecuBox_AVPoC3.cab
Extracting cabinet: SecuBox_AVPoC3.cab
extracting EICAR.com
All done, no errors.
thot:~$ clamscan --no-summary EICAR.com
EICAR.com: Eicar-Test-Signature FOUND
thot:~$
thot:~$ clamscan -V
ClamAV 0.87/1120/Fri Oct 7 13:06:49 2005
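The scan, extract, scan-again sequence of the Unix test above, turned into a scan-on-extraction check that flags an archive whose content is detected only after extraction. This is an added example, not code from the advisory or from SecuBox Labs; it assumes clamscan, unrar and cabextract are on PATH and falls back to a toy EICAR-only scanner when clamscan is absent.

```python
"""Scan-on-extraction check (added example, not from the advisory): scan an
archive as delivered, then extract it and scan each member, and flag the case
the advisory describes, where content is detected only after extraction."""
import os, shutil, subprocess, tempfile, zipfile

# The 68-byte EICAR test string the PoC used, as a fallback signature when
# no clamscan binary is installed on this machine.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def eicar_scan(path):
    """Toy scanner: reports the EICAR signature when a file starts with it."""
    with open(path, "rb") as f:
        return "Eicar-Test-Signature" if f.read(len(EICAR)) == EICAR else None

def clamscan_file(path):
    """Scan one file with clamscan as in the advisory's Unix test; clamscan
    exits 1 on detection and prints '<path>: <name> FOUND'."""
    proc = subprocess.run(["clamscan", "--no-summary", path],
                          capture_output=True, text=True)
    if proc.returncode != 1:
        return None
    return proc.stdout.strip().rsplit(": ", 1)[-1].removesuffix(" FOUND")

# Extractors by extension. unrar and cabextract are the tools used in the
# advisory (assumed to be on PATH); zip is handled by the standard library.
EXTRACTORS = {
    ".zip": lambda a, d: zipfile.ZipFile(a).extractall(d),
    ".rar": lambda a, d: subprocess.run(["unrar", "x", "-y", a, d + os.sep],
                                        check=True, capture_output=True),
    ".cab": lambda a, d: subprocess.run(["cabextract", "-q", "-d", d, a],
                                        check=True, capture_output=True),
}

def scan_with_extraction(archive, scan=None, extractors=EXTRACTORS):
    """Return (archive_verdict, {member: verdict}, evaded); evaded is True when
    the archive scans clean but at least one extracted member is detected."""
    scan = scan or (clamscan_file if shutil.which("clamscan") else eicar_scan)
    archive_verdict = scan(archive)
    members = {}
    with tempfile.TemporaryDirectory() as tmp:
        extractors[os.path.splitext(archive)[1].lower()](archive, tmp)
        for root, _, files in os.walk(tmp):
            for name in files:
                full = os.path.join(root, name)
                members[os.path.relpath(full, tmp)] = scan(full)
    evaded = archive_verdict is None and any(members.values())
    return archive_verdict, members, evaded
```

Run it as `scan_with_extraction("SecuBox_AVPoC3.cab")` to reproduce the advisory's ClamAV result in one call: the archive verdict is None, the extracted EICAR.com is flagged, and evaded is True.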
-==================================================-
CREDiTS
---------------------
SecuBox Labs - fRoGGz
Greets fly out to: maew, Jordi Bosveld & VirusTotal